Inspect360 Suite engages the following third-party service providers ("sub-processors") to deliver and operate the Service. This register is published in fulfilment of GDPR Article 28(2)–(4), UK GDPR, and Saudi Arabia's PDPL disclosure obligations. Customers on Enterprise plans may subscribe to receive notice of any change in advance of onboarding new sub-processors.
| Provider | Purpose | Data Categories | Processing Region | Transfer Safeguards |
|---|---|---|---|---|
| Supabase, Inc. Privacy policy |
Primary data platform: Postgres database, authentication, object storage, edge functions | Account data, inspection data, files, auth tokens, audit logs | Singapore AWS ap-southeast-1 |
GDPR SCCs 2021/914/EU Module 2 + UK IDTA (no Singapore adequacy decision); Supabase DPA in effect |
| Google LLC — Identity Platform (Sign-In) Privacy policy |
OAuth authentication (optional; only if user signs in with Google) | Email, name, profile image, Google account ID | US / Global | EU–US Data Privacy Framework + SCCs |
| Google LLC — Gemini API Gemini API terms |
AI-assisted inspection analysis, text generation, image understanding | Inspection photos, finding descriptions, checklist text (no account credentials) | US / Global | SCCs + Gemini API Data Processing Addendum. No customer data is used to train Google's models. |
| Anthropic, PBC — Claude API Privacy policy |
Backup AI model for specialist inspection workloads (used selectively) | Inspection text, checklist prompts (no photos unless explicitly enabled) | US | SCCs + Anthropic Commercial Terms. Zero-retention API mode enabled. |
| Stripe Payments UK Ltd Privacy policy |
Payment processing, subscription billing, invoicing (paid plans only) | Billing name, email, billing address, last-4 of card (full PAN never touches our servers) | UK (onward transfers to Stripe group) | PCI DSS Level 1 certified; UK IDTA + SCCs for onward transfers; Stripe DPA |
| Resend (Postmark / transactional email) Privacy policy |
Delivery of transactional email (verification, password reset, account-deletion notices, CAPA alerts) | Email address, message body | US / EU | SCCs + Resend DPA |
| Cloudflare, Inc. Privacy policy |
CDN, DDoS protection, TLS termination for marketing site and static assets | IP address, request metadata (no inspection data) | Global edge | SCCs; Cloudflare DPA |
| Vercel, Inc. Privacy policy |
Hosting of the web application bundle (static + edge) | IP address, request metadata (no inspection data stored) | US + regional edges | SCCs; Vercel DPA |
Default (Solo · Team · Business · Compliance plans): customer inspection data (photos, findings, reports, audit logs) is stored in Singapore (AWS ap-southeast-1) via Supabase. Singapore does not benefit from a UK or EU adequacy decision, so transfers of UK/EU personal data into the default tenant are made on the basis of the EU Standard Contractual Clauses 2021/914/EU, Module 2, supplemented by the UK International Data Transfer Addendum, each incorporated into our Data Processing Addendum.
Enterprise plan — KSA residency option: Enterprise customers requiring Saudi PDPL residency may opt into a dedicated tenant hosted directly on Google Cloud Platform in Saudi Arabia (me-central2, Dammam). This tenant runs on native GCP services (Cloud SQL for PostgreSQL, Identity Platform, Cloud Storage, Cloud Run) rather than Supabase — the sub-processor for that tenant is Google LLC in place of Supabase, Inc. All inspection data, backups, authentication, and AI inference routing for a KSA tenant stay in-Kingdom. Other regional hosting (e.g. Supabase-managed London eu-west-2 or Frankfurt eu-central-1) is also available on request. AI inference, transactional email, and payment metadata may still be processed in further regions under the safeguards shown above, with customer-specific controls documented in the Enterprise order form.
A versioned changelog of additions and removals will appear here once the first change is made. Enterprise customers subscribed to change notices receive email alerts with 30 days' notice.
Data Protection Officer: dpo@inspect360suite.com
Subject-access / data-subject requests: dpo@inspect360suite.com (30-day response SLA)